AMC database exposed 1.6 million Shudder and Sundance NOW users

Security Discovery's Cyber Threat Intelligence Director Bob Diachenko has disclosed the discovery of an exposed AMC database related to the company's Sundance NOW and Shudder online video services. After getting in touch with the company, which reportedly required multiple attempts, AMC was alerted about the issue and has taken down the exposed database.

The issue was detailed by Security Discovery on May 3, a couple days after the publicly accessible MongoDB instance was discovered. According to a post by Diachenko, the database appeared to house data related to Shudder and Sundance NOW, both of which are premium AMC Networks services.

More than 1.6 million records had some subscriber data related to both services, including subscription status, when the subscription was started and cancelled, and the users' country, names, and email addresses. As well, there were more than 3,300 links to Stripe invoices that reportedly contained users' names, email addresses, and the last four digital of their credit card numbers.

The database reportedly also contained some other info, including users' city/state/zip codes, details on the streaming devices they used, their IP addresses, and some unspecified metadata. There were also links that led to 'internal catalogue data and other metadata info,' according to the Security Discovery post.

Diachenko detailed some issues with contacting AMC about the exposed data, saying in this post, "...it was almost impossible to employ a responsible disclosure procedure here, since all emails and contacts related to privacy and security were bouncing back." AMC was eventually contacted through a third party on Diachenko's behalf and the database was taken down.